Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

x/vulndb: potential Go vuln in go.etcd.io/etcd: GHSA-pm3m-32r3-7mfh #2529

Closed
GoVulnBot opened this issue Feb 3, 2024 · 3 comments
Closed
Assignees
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot
Copy link

In GitHub Security Advisory GHSA-pm3m-32r3-7mfh, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
go.etcd.io/etcd 3.3.23 < 3.3.23

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: go.etcd.io/etcd
      versions:
        - fixed: 3.3.23
      packages:
        - package: go.etcd.io/etcd
    - module: go.etcd.io/etcd
      versions:
        - introduced: TODO (earliest fixed "3.4.10", vuln range ">= 3.4.0-rc.0, <= 3.4.9")
      packages:
        - package: go.etcd.io/etcd
summary: |-
    Etcd embed auto compaction retention negative value causing a compaction loop or
    a crash
ghsas:
    - GHSA-pm3m-32r3-7mfh
references:
    - advisory: https://github.com/etcd-io/etcd/security/advisories/GHSA-pm3m-32r3-7mfh
    - advisory: https://github.com/advisories/GHSA-pm3m-32r3-7mfh

@zpavlinovic zpavlinovic added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Feb 12, 2024
@zpavlinovic
Copy link
Contributor

Future reference: the fix/symbols are mentioned in the security audit on page 30.

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/563538 mentions this issue: data/excluded: add GO-2024-2529.yaml

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592778 mentions this issue: data/reports: unexclude 80 reports

gopherbot pushed a commit that referenced this issue Jun 28, 2024
  - data/reports/GO-2024-2521.yaml
  - data/reports/GO-2024-2434.yaml
  - data/reports/GO-2024-2537.yaml
  - data/reports/GO-2024-2432.yaml
  - data/reports/GO-2024-2483.yaml
  - data/reports/GO-2024-2480.yaml
  - data/reports/GO-2024-2433.yaml
  - data/reports/GO-2024-2530.yaml
  - data/reports/GO-2024-2556.yaml
  - data/reports/GO-2024-2472.yaml
  - data/reports/GO-2024-2540.yaml
  - data/reports/GO-2024-2560.yaml
  - data/reports/GO-2024-2561.yaml
  - data/reports/GO-2024-2590.yaml
  - data/reports/GO-2024-2428.yaml
  - data/reports/GO-2024-2508.yaml
  - data/reports/GO-2024-2592.yaml
  - data/reports/GO-2024-2511.yaml
  - data/reports/GO-2024-2491.yaml
  - data/reports/GO-2024-2479.yaml
  - data/reports/GO-2024-2509.yaml
  - data/reports/GO-2024-2589.yaml
  - data/reports/GO-2024-2496.yaml
  - data/reports/GO-2024-2505.yaml
  - data/reports/GO-2024-2558.yaml
  - data/reports/GO-2024-2430.yaml
  - data/reports/GO-2024-2594.yaml
  - data/reports/GO-2024-2431.yaml
  - data/reports/GO-2024-2488.yaml
  - data/reports/GO-2024-2495.yaml
  - data/reports/GO-2024-2557.yaml
  - data/reports/GO-2024-2442.yaml
  - data/reports/GO-2024-2593.yaml
  - data/reports/GO-2024-2512.yaml
  - data/reports/GO-2024-2528.yaml
  - data/reports/GO-2024-2529.yaml
  - data/reports/GO-2024-2588.yaml
  - data/reports/GO-2024-2562.yaml
  - data/reports/GO-2024-2441.yaml
  - data/reports/GO-2024-2591.yaml
  - data/reports/GO-2024-2477.yaml
  - data/reports/GO-2024-2448.yaml
  - data/reports/GO-2024-2510.yaml
  - data/reports/GO-2024-2564.yaml
  - data/reports/GO-2024-2476.yaml
  - data/reports/GO-2024-2527.yaml
  - data/reports/GO-2024-2481.yaml
  - data/reports/GO-2024-2445.yaml
  - data/reports/GO-2024-2457.yaml
  - data/reports/GO-2024-2446.yaml
  - data/reports/GO-2024-2447.yaml
  - data/reports/GO-2024-2501.yaml
  - data/reports/GO-2024-2440.yaml
  - data/reports/GO-2024-2500.yaml
  - data/reports/GO-2024-2444.yaml
  - data/reports/GO-2024-2550.yaml
  - data/reports/GO-2024-2523.yaml
  - data/reports/GO-2024-2516.yaml
  - data/reports/GO-2024-2531.yaml
  - data/reports/GO-2024-2595.yaml
  - data/reports/GO-2024-2520.yaml
  - data/reports/GO-2024-2582.yaml
  - data/reports/GO-2024-2485.yaml
  - data/reports/GO-2024-2541.yaml
  - data/reports/GO-2024-2563.yaml
  - data/reports/GO-2024-2532.yaml
  - data/reports/GO-2024-2450.yaml
  - data/reports/GO-2024-2515.yaml
  - data/reports/GO-2024-2499.yaml
  - data/reports/GO-2024-2514.yaml
  - data/reports/GO-2024-2535.yaml
  - data/reports/GO-2024-2458.yaml
  - data/reports/GO-2024-2449.yaml
  - data/reports/GO-2024-2549.yaml
  - data/reports/GO-2024-2517.yaml
  - data/reports/GO-2024-2478.yaml
  - data/reports/GO-2024-2559.yaml
  - data/reports/GO-2024-2486.yaml
  - data/reports/GO-2024-2513.yaml
  - data/reports/GO-2024-2565.yaml

Updates #2521
Updates #2434
Updates #2537
Updates #2432
Updates #2483
Updates #2480
Updates #2433
Updates #2530
Updates #2556
Updates #2472
Updates #2540
Updates #2560
Updates #2561
Updates #2590
Updates #2428
Updates #2508
Updates #2592
Updates #2511
Updates #2491
Updates #2479
Updates #2509
Updates #2589
Updates #2496
Updates #2505
Updates #2558
Updates #2430
Updates #2594
Updates #2431
Updates #2488
Updates #2495
Updates #2557
Updates #2442
Updates #2593
Updates #2512
Updates #2528
Updates #2529
Updates #2588
Updates #2562
Updates #2441
Updates #2591
Updates #2477
Updates #2448
Updates #2510
Updates #2564
Updates #2476
Updates #2527
Updates #2481
Updates #2445
Updates #2457
Updates #2446
Updates #2447
Updates #2501
Updates #2440
Updates #2500
Updates #2444
Updates #2550
Updates #2523
Updates #2516
Updates #2531
Updates #2595
Updates #2520
Updates #2582
Updates #2485
Updates #2541
Updates #2563
Updates #2532
Updates #2450
Updates #2515
Updates #2499
Updates #2514
Updates #2535
Updates #2458
Updates #2449
Updates #2549
Updates #2517
Updates #2478
Updates #2559
Updates #2486
Updates #2513
Updates #2565

Change-Id: I9920757c40e457cb5d033ef0e0a99deb6a5c29b5
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/592778
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Projects
None yet
Development

No branches or pull requests

3 participants